Re: [squid-users] OpenBSD + PF + Squid: forwarding loop

From: Lo�c BLOT <>
Date: Sat, 01 Jun 2013 01:07:59 +0200

Instead of your ugly:
pass quick on lo0
skip lo0
which is better :)

You must redirect trafic on your lan interface directed to any remote 80
to your lan IP:3129 and also allow tcp 3129 on pf

pass out quick on $lan_if proto tcp to port 80 rdr-to $lan_ip port 3129
pass in quick on $lan_if proto tcp to $lan_ip port 3129

You mustn't redirecto to localhost iface it's bad.

For normal and transparent you are correct. Have you compiled squid with
--enable-pf-transparent option ? (/usr/local/squid/sbin/squid -v show

Best regards,
Loïc BLOT, 
UNIX systems, security and network expert
Le vendredi 31 mai 2013 à 15:19 -0700, Rob Sheldon a écrit :
> On 2013-05-31 5:27, Marko Cupać wrote:
> > 
> > Try setting squid to listen on loopback address:
> > 
> > http_port intercept
> > 
> > Redirect web traffic to loopback address in pf:
> > pass in quick on $if_int inet proto tcp from to any \
> > 	port { www https } rdr-to port 3128
> No joy.
> I'm pretty sure that I've just ruled out that it's anything at all to 
> do with pf or routing, other than maaaaybe the pooled outbound 
> connections (which only leaves me even more stumped). I enabled all 
> traffic in and out of loopback:
> pass quick on lo0 proto tcp from any to any
> ...and I commented out the rdr rule(s) for anything Squid-related. Just 
> for extra measure I also commented out all other rdr rules, still no 
> change.
> I set up the following http_port config in Squid:
> http_port
> http_port intercept
> Squid should be doing normal proxying on localhost 3128 and 
> interception proxying on 3139, yes?
> To test it, on the firewall I, "telnet localhost 3128", and "GET 
> HTTP/1.0", and this works as expected. BUT, 
> "telnet localhost 3139", and "GET / HTTP/1.0" followed by "Host: 
>", and the forwarding loop error occurs.
> This is driving me batty.
> I also tcpdump'd lo0 while testing both 3128 and 3139, and I'm not 
> seeing any traffic outbound to 80 from that interface ... so I think 
> Squid must be attaching to another interface for outbound requests? 
> There doesn't seem to be a configuration option for that, it's possible 
> Squid's getting stuck in the pooled outbound interfaces somehow ... (I 
> did also try a site that wouldn't be cached by Squid, just to be sure.)
> How can I troubleshoot this further? Is there a good way to look inside 
> of what Squid's doing when receiving and sending out requests?
> - R.

Received on Fri May 31 2013 - 23:01:22 MDT

This archive was generated by hypermail 2.2.0 : Sat Jun 01 2013 - 12:00:07 MDT